Data about minors found unprotected on app server

Mobile app 'TeenSafe' is a paid subscription service which describes itself as "a single and secure method by which [parents] can access and monitor their teen’s digital lives". However, according to a recent discovery by ZDNet, the company has not been storing some of the personal data securely, and tens of thousands of users are thought to be affected. At least one cloud-based server (hosted by Amazon) was found to store unprotected data about their members (both adults and children), which could be accessed without a password.

Screenshot of some of the unsecured data courtesy of ZDNet​

ZDNet alerted the company of the issue, and TeenSafe issued a statement saying that they have now secured the server and begun the process of contacting those affected.

The database stores the parent's email address associated with TeenSafe, as well as their corresponding child's Apple ID email address. It also includes the child's device name -- which is often just their name -- and their device's unique identifier. The data contains the plaintext passwords for the child's Apple ID. Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child's account to access their personal content data.

None of the records contained content data, such as photos or messages, or the locations of either parents or children.

It is somewhat ironic that a service set up to protect minors online is now responsible for a breach of their personal data, and this is likely to be of great concern to TeenSafe's reported one million subscribers.